[CONC-762] mysql_stmt_fetch in cursor mode creates bind.length unitialized (MSAN) - Jira

Details

Type: Bug
Status: Open (View Workflow)
Priority: Major
Resolution: Unresolved
Affects Version/s: 3.4
Fix Version/s: 3.1.29, 3.3.16, 3.4.6
Component/s: Prepared Statements
Labels:
None
Environment:
clang-20.1, msan

Description

main-ab468e33aff110b44a31ce0350894906ff4bc757 with update C/C to b38e87200346c1ee5fd98c316bffb20df1ede5ff
$ mysql-test/mtr --cursor-protocol main.pool_of_threads

main.pool_of_threads [ fail ]
Test ended at 2025-03-26 00:08:02

CURRENT_TEST: main.pool_of_threads
==10504==WARNING: MemorySanitizer: use-of-uninitialized-value
#0 0x55fb0384bf0c in append_stmt_result(st_dynamic_string, st_mysql_stmt, st_mysql_field*, unsigned int) /source/client/mysqltest.cc:7919:7
#1 0x55fb03850163 in read_stmt_results(st_mysql_stmt, st_dynamic_string, st_command*) /source/client/mysqltest.cc:8687:7
#2 0x55fb03851034 in run_query_stmt(st_connection, st_command, char, unsigned long, st_dynamic_string, st_dynamic_string*) /source/client/mysqltest.cc:8876:9
#3 0x55fb03853234 in run_query(st_connection, st_command, int) /source/client/mysqltest.cc:9675:5
#4 0x55fb0385660e in main /source/client/mysqltest.cc:10511:2
#5 0x7fe20b44c249 (/lib/x86_64-linux-gnu/libc.so.6+0x27249) (BuildId: c047672cae7964324658491e7dee26748ae5d2f8)
#6 0x7fe20b44c304 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x27304) (BuildId: c047672cae7964324658491e7dee26748ae5d2f8)
#7 0x55fb037861c0 in _start (/build/client/mariadb-test+0x9a1c0) (BuildId: 0b9fb605ba645cf724ec0c8c01d2243bbb89da9b)

Uninitialized value was stored to memory at
#0 0x55fb0384bf05 in append_stmt_result(st_dynamic_string, st_mysql_stmt, st_mysql_field*, unsigned int) /source/client/mysqltest.cc:7920:20
#1 0x55fb03850163 in read_stmt_results(st_mysql_stmt, st_dynamic_string, st_command*) /source/client/mysqltest.cc:8687:7
#2 0x55fb03851034 in run_query_stmt(st_connection, st_command, char, unsigned long, st_dynamic_string, st_dynamic_string*) /source/client/mysqltest.cc:8876:9
#3 0x55fb03853234 in run_query(st_connection, st_command, int) /source/client/mysqltest.cc:9675:5
#4 0x55fb0385660e in main /source/client/mysqltest.cc:10511:2
#5 0x7fe20b44c249 (/lib/x86_64-linux-gnu/libc.so.6+0x27249) (BuildId: c047672cae7964324658491e7dee26748ae5d2f8)

Memory was marked as uninitialized
#0 0x55fb037c35cd in __msan_allocated_memory (/build/client/mariadb-test+0xd75cd) (BuildId: 0b9fb605ba645cf724ec0c8c01d2243bbb89da9b)
#1 0x55fb03927209 in my_malloc /source/mysys/my_malloc.c:120:7
#2 0x55fb0384b8dd in append_stmt_result(st_dynamic_string, st_mysql_stmt, st_mysql_field*, unsigned int) /source/client/mysqltest.cc:7892:20
#3 0x55fb03850163 in read_stmt_results(st_mysql_stmt, st_dynamic_string, st_command*) /source/client/mysqltest.cc:8687:7
#4 0x55fb03851034 in run_query_stmt(st_connection, st_command, char, unsigned long, st_dynamic_string, st_dynamic_string*) /source/client/mysqltest.cc:8876:9
#5 0x55fb03853234 in run_query(st_connection, st_command, int) /source/client/mysqltest.cc:9675:5
#6 0x55fb0385660e in main /source/client/mysqltest.cc:10511:2
#7 0x7fe20b44c249 (/lib/x86_64-linux-gnu/libc.so.6+0x27249) (BuildId: c047672cae7964324658491e7dee26748ae5d2f8)

SUMMARY: MemorySanitizer: use-of-uninitialized-value /source/client/mysqltest.cc:7919:7 in append_stmt_result(st_dynamic_string, st_mysql_stmt, st_mysql_field*, unsigned int)
Exiting
mysqltest got signal 6
read_command_buf (0x731000000018): explain select fld3 from t2 ignore index (fld3) where fld3 = 'honeysuckle'

mysqltest.cc around "use of uninitalized variable" with final line "client/mysqltest.cc:7919"

    /* Allocate data for the result of each field */

    for (i= 0; i < num_fields; i++)

      uint max_length= fields[i].max_length + 1;

      my_bind[i].buffer_type= MYSQL_TYPE_STRING;

      my_bind[i].buffer= my_malloc(PSI_NOT_INSTRUMENTED, max_length,

                                   MYF(MY_WME|MY_FAE));

      my_bind[i].buffer_length= max_length;

      my_bind[i].is_null= &is_null[i];

      my_bind[i].length= &length[i];

      DBUG_PRINT("bind", ("col[%d]: buffer_type: %d, buffer_length: %lu",

                          i, my_bind[i].buffer_type, my_bind[i].buffer_length));

    if (mysql_stmt_bind_result(stmt, my_bind))

      die("mysql_stmt_bind_result failed: %d: %s",

          mysql_stmt_errno(stmt), mysql_stmt_error(stmt));

    while ((error=mysql_stmt_fetch(stmt)) == 0)

      for (i= 0; i < num_fields; i++)

        append_field(rs, i, &fields[i], (char*)my_bind[i].buffer,

                     *my_bind[i].length, *my_bind[i].is_null);

So my_bind wasn't fully initialized as the length and is_null where raw allocations. Is calling mysql_stmt_fetch meant to initialise all my_bind members?

Attachments

Issue Links

is part of

MDEV-20377 Make WITH_MSAN more usable

Closed

Activity

Ascending order - Click to sort in descending order

Daniel Black created issue - 2025-03-26 00:26

Daniel Black made changes - 2025-03-26 00:26

Field	Original Value	New Value
Link		This issue is part of ~~MDEV-20377~~ [ ~~MDEV-20377~~ ]

Daniel Black added a comment - 2025-03-26 04:13

or is this a caller responsibility? seems they weren't initialised there.

Applied the following appears to work:

diff --git a/client/mysqltest.cc b/client/mysqltest.cc

index d84e4faf47d..760f2101913 100644

--- a/client/mysqltest.cc

+++ b/client/mysqltest.cc

@@ -7890,9 +7890,9 @@ void append_stmt_result(DYNAMIC_STRING *ds, MYSQL_STMT *stmt,

   my_bind= (MYSQL_BIND*) my_malloc(PSI_NOT_INSTRUMENTED, num_fields * sizeof(MYSQL_BIND),

                                    MYF(MY_WME|MY_FAE|MY_ZEROFILL));

   length= (ulong*) my_malloc(PSI_NOT_INSTRUMENTED, num_fields * sizeof(ulong),

-                             MYF(MY_WME|MY_FAE));

+                             MYF(MY_WME|MY_FAE|MY_ZEROFILL));

   is_null= (my_bool*) my_malloc(PSI_NOT_INSTRUMENTED, num_fields * sizeof(my_bool),

-                                MYF(MY_WME|MY_FAE));

+                                MYF(MY_WME|MY_FAE|MY_ZEROFILL));

   /* Allocate data for the result of each field */

   for (i= 0; i < num_fields; i++)

Daniel Black added a comment - 2025-03-26 04:13 or is this a caller responsibility? seems they weren't initialised there. Applied the following appears to work: diff --git a/client/mysqltest.cc b/client/mysqltest.cc index d84e4faf47d..760f2101913 100644 --- a/client/mysqltest.cc +++ b/client/mysqltest.cc @@ -7890,9 +7890,9 @@ void append_stmt_result(DYNAMIC_STRING *ds, MYSQL_STMT *stmt, my_bind= (MYSQL_BIND*) my_malloc(PSI_NOT_INSTRUMENTED, num_fields * sizeof(MYSQL_BIND), MYF(MY_WME|MY_FAE|MY_ZEROFILL)); length= (ulong*) my_malloc(PSI_NOT_INSTRUMENTED, num_fields * sizeof(ulong), - MYF(MY_WME|MY_FAE)); + MYF(MY_WME|MY_FAE|MY_ZEROFILL)); is_null= (my_bool*) my_malloc(PSI_NOT_INSTRUMENTED, num_fields * sizeof(my_bool), - MYF(MY_WME|MY_FAE)); + MYF(MY_WME|MY_FAE|MY_ZEROFILL)); /* Allocate data for the result of each field */ for (i= 0; i < num_fields; i++)

Daniel Black made changes - 2025-03-26 04:16

Description

{noformat:title=main-ab468e33aff110b44a31ce0350894906ff4bc757 with update C/C to b38e87200346c1ee5fd98c316bffb20df1ede5ff}
$ mysql-test/mtr --cursor-protocol main.pool_of_threads

main.pool_of_threads [ fail ]
        Test ended at 2025-03-26 00:08:02

CURRENT_TEST: main.pool_of_threads
==10504==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x55fb0384bf0c in append_stmt_result(st_dynamic_string*, st_mysql_stmt*, st_mysql_field*, unsigned int) /source/client/mysqltest.cc:7919:7
    #1 0x55fb03850163 in read_stmt_results(st_mysql_stmt*, st_dynamic_string*, st_command*) /source/client/mysqltest.cc:8687:7
    #2 0x55fb03851034 in run_query_stmt(st_connection*, st_command*, char*, unsigned long, st_dynamic_string*, st_dynamic_string*) /source/client/mysqltest.cc:8876:9
    #3 0x55fb03853234 in run_query(st_connection*, st_command*, int) /source/client/mysqltest.cc:9675:5
    #4 0x55fb0385660e in main /source/client/mysqltest.cc:10511:2
    #5 0x7fe20b44c249 (/lib/x86_64-linux-gnu/libc.so.6+0x27249) (BuildId: c047672cae7964324658491e7dee26748ae5d2f8)
    #6 0x7fe20b44c304 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x27304) (BuildId: c047672cae7964324658491e7dee26748ae5d2f8)
    #7 0x55fb037861c0 in _start (/build/client/mariadb-test+0x9a1c0) (BuildId: 0b9fb605ba645cf724ec0c8c01d2243bbb89da9b)

  Uninitialized value was stored to memory at
    #0 0x55fb0384bf05 in append_stmt_result(st_dynamic_string*, st_mysql_stmt*, st_mysql_field*, unsigned int) /source/client/mysqltest.cc:7920:20
    #1 0x55fb03850163 in read_stmt_results(st_mysql_stmt*, st_dynamic_string*, st_command*) /source/client/mysqltest.cc:8687:7
    #2 0x55fb03851034 in run_query_stmt(st_connection*, st_command*, char*, unsigned long, st_dynamic_string*, st_dynamic_string*) /source/client/mysqltest.cc:8876:9
    #3 0x55fb03853234 in run_query(st_connection*, st_command*, int) /source/client/mysqltest.cc:9675:5
    #4 0x55fb0385660e in main /source/client/mysqltest.cc:10511:2
    #5 0x7fe20b44c249 (/lib/x86_64-linux-gnu/libc.so.6+0x27249) (BuildId: c047672cae7964324658491e7dee26748ae5d2f8)

  Memory was marked as uninitialized
    #0 0x55fb037c35cd in __msan_allocated_memory (/build/client/mariadb-test+0xd75cd) (BuildId: 0b9fb605ba645cf724ec0c8c01d2243bbb89da9b)
    #1 0x55fb03927209 in my_malloc /source/mysys/my_malloc.c:120:7
    #2 0x55fb0384b8dd in append_stmt_result(st_dynamic_string*, st_mysql_stmt*, st_mysql_field*, unsigned int) /source/client/mysqltest.cc:7892:20
    #3 0x55fb03850163 in read_stmt_results(st_mysql_stmt*, st_dynamic_string*, st_command*) /source/client/mysqltest.cc:8687:7
    #4 0x55fb03851034 in run_query_stmt(st_connection*, st_command*, char*, unsigned long, st_dynamic_string*, st_dynamic_string*) /source/client/mysqltest.cc:8876:9
    #5 0x55fb03853234 in run_query(st_connection*, st_command*, int) /source/client/mysqltest.cc:9675:5
    #6 0x55fb0385660e in main /source/client/mysqltest.cc:10511:2
    #7 0x7fe20b44c249 (/lib/x86_64-linux-gnu/libc.so.6+0x27249) (BuildId: c047672cae7964324658491e7dee26748ae5d2f8)

SUMMARY: MemorySanitizer: use-of-uninitialized-value /source/client/mysqltest.cc:7919:7 in append_stmt_result(st_dynamic_string*, st_mysql_stmt*, st_mysql_field*, unsigned int)
Exiting
mysqltest got signal 6
read_command_buf (0x731000000018): explain select fld3 from t2 ignore index (fld3) where fld3 = 'honeysuckle'
{noformat}

mysqltest.cc around "use of uninitalized variable" with final line "client/mysqltest.cc:7919"
{code:c++}
    /* Allocate data for the result of each field */
    for (i= 0; i < num_fields; i++)
    {
      uint max_length= fields[i].max_length + 1;
      my_bind[i].buffer_type= MYSQL_TYPE_STRING;
      my_bind[i].buffer= my_malloc(PSI_NOT_INSTRUMENTED, max_length,
                                   MYF(MY_WME|MY_FAE));
      my_bind[i].buffer_length= max_length;
      my_bind[i].is_null= &is_null[i];
      my_bind[i].length= &length[i];

      DBUG_PRINT("bind", ("col[%d]: buffer_type: %d, buffer_length: %lu",
                          i, my_bind[i].buffer_type, my_bind[i].buffer_length));
    }

    if (mysql_stmt_bind_result(stmt, my_bind))
      die("mysql_stmt_bind_result failed: %d: %s",
          mysql_stmt_errno(stmt), mysql_stmt_error(stmt));

    while ((error=mysql_stmt_fetch(stmt)) == 0)
    {
      for (i= 0; i < num_fields; i++)
        append_field(rs, i, &fields[i], (char*)my_bind[i].buffer,
                     *my_bind[i].length, *my_bind[i].is_null);
{code}

So my_bind was fully initialized, however after calling mysql_stmt_fetch the my_bind[i].length is uninitialized again.

{noformat:title=main-ab468e33aff110b44a31ce0350894906ff4bc757 with update C/C to b38e87200346c1ee5fd98c316bffb20df1ede5ff}
$ mysql-test/mtr --cursor-protocol main.pool_of_threads

main.pool_of_threads [ fail ]
        Test ended at 2025-03-26 00:08:02

CURRENT_TEST: main.pool_of_threads
==10504==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x55fb0384bf0c in append_stmt_result(st_dynamic_string*, st_mysql_stmt*, st_mysql_field*, unsigned int) /source/client/mysqltest.cc:7919:7
    #1 0x55fb03850163 in read_stmt_results(st_mysql_stmt*, st_dynamic_string*, st_command*) /source/client/mysqltest.cc:8687:7
    #2 0x55fb03851034 in run_query_stmt(st_connection*, st_command*, char*, unsigned long, st_dynamic_string*, st_dynamic_string*) /source/client/mysqltest.cc:8876:9
    #3 0x55fb03853234 in run_query(st_connection*, st_command*, int) /source/client/mysqltest.cc:9675:5
    #4 0x55fb0385660e in main /source/client/mysqltest.cc:10511:2
    #5 0x7fe20b44c249 (/lib/x86_64-linux-gnu/libc.so.6+0x27249) (BuildId: c047672cae7964324658491e7dee26748ae5d2f8)
    #6 0x7fe20b44c304 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x27304) (BuildId: c047672cae7964324658491e7dee26748ae5d2f8)
    #7 0x55fb037861c0 in _start (/build/client/mariadb-test+0x9a1c0) (BuildId: 0b9fb605ba645cf724ec0c8c01d2243bbb89da9b)

  Uninitialized value was stored to memory at
    #0 0x55fb0384bf05 in append_stmt_result(st_dynamic_string*, st_mysql_stmt*, st_mysql_field*, unsigned int) /source/client/mysqltest.cc:7920:20
    #1 0x55fb03850163 in read_stmt_results(st_mysql_stmt*, st_dynamic_string*, st_command*) /source/client/mysqltest.cc:8687:7
    #2 0x55fb03851034 in run_query_stmt(st_connection*, st_command*, char*, unsigned long, st_dynamic_string*, st_dynamic_string*) /source/client/mysqltest.cc:8876:9
    #3 0x55fb03853234 in run_query(st_connection*, st_command*, int) /source/client/mysqltest.cc:9675:5
    #4 0x55fb0385660e in main /source/client/mysqltest.cc:10511:2
    #5 0x7fe20b44c249 (/lib/x86_64-linux-gnu/libc.so.6+0x27249) (BuildId: c047672cae7964324658491e7dee26748ae5d2f8)

  Memory was marked as uninitialized
    #0 0x55fb037c35cd in __msan_allocated_memory (/build/client/mariadb-test+0xd75cd) (BuildId: 0b9fb605ba645cf724ec0c8c01d2243bbb89da9b)
    #1 0x55fb03927209 in my_malloc /source/mysys/my_malloc.c:120:7
    #2 0x55fb0384b8dd in append_stmt_result(st_dynamic_string*, st_mysql_stmt*, st_mysql_field*, unsigned int) /source/client/mysqltest.cc:7892:20
    #3 0x55fb03850163 in read_stmt_results(st_mysql_stmt*, st_dynamic_string*, st_command*) /source/client/mysqltest.cc:8687:7
    #4 0x55fb03851034 in run_query_stmt(st_connection*, st_command*, char*, unsigned long, st_dynamic_string*, st_dynamic_string*) /source/client/mysqltest.cc:8876:9
    #5 0x55fb03853234 in run_query(st_connection*, st_command*, int) /source/client/mysqltest.cc:9675:5
    #6 0x55fb0385660e in main /source/client/mysqltest.cc:10511:2
    #7 0x7fe20b44c249 (/lib/x86_64-linux-gnu/libc.so.6+0x27249) (BuildId: c047672cae7964324658491e7dee26748ae5d2f8)

SUMMARY: MemorySanitizer: use-of-uninitialized-value /source/client/mysqltest.cc:7919:7 in append_stmt_result(st_dynamic_string*, st_mysql_stmt*, st_mysql_field*, unsigned int)
Exiting
mysqltest got signal 6
read_command_buf (0x731000000018): explain select fld3 from t2 ignore index (fld3) where fld3 = 'honeysuckle'
{noformat}

mysqltest.cc around "use of uninitalized variable" with final line "client/mysqltest.cc:7919"
{code:c++}
    /* Allocate data for the result of each field */
    for (i= 0; i < num_fields; i++)
    {
      uint max_length= fields[i].max_length + 1;
      my_bind[i].buffer_type= MYSQL_TYPE_STRING;
      my_bind[i].buffer= my_malloc(PSI_NOT_INSTRUMENTED, max_length,
                                   MYF(MY_WME|MY_FAE));
      my_bind[i].buffer_length= max_length;
      my_bind[i].is_null= &is_null[i];
      my_bind[i].length= &length[i];

      DBUG_PRINT("bind", ("col[%d]: buffer_type: %d, buffer_length: %lu",
                          i, my_bind[i].buffer_type, my_bind[i].buffer_length));
    }

    if (mysql_stmt_bind_result(stmt, my_bind))
      die("mysql_stmt_bind_result failed: %d: %s",
          mysql_stmt_errno(stmt), mysql_stmt_error(stmt));

    while ((error=mysql_stmt_fetch(stmt)) == 0)
    {
      for (i= 0; i < num_fields; i++)
        append_field(rs, i, &fields[i], (char*)my_bind[i].buffer,
                     *my_bind[i].length, *my_bind[i].is_null);
{code}

So my_bind wasn't fully as the length and is_null where raw allocations. is calling mysql_stmt_fetch meant to initialise all my_bind members?

Daniel Black made changes - 2025-03-31 07:13

Description

{noformat:title=main-ab468e33aff110b44a31ce0350894906ff4bc757 with update C/C to b38e87200346c1ee5fd98c316bffb20df1ede5ff}
$ mysql-test/mtr --cursor-protocol main.pool_of_threads

main.pool_of_threads [ fail ]
        Test ended at 2025-03-26 00:08:02

CURRENT_TEST: main.pool_of_threads
==10504==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x55fb0384bf0c in append_stmt_result(st_dynamic_string*, st_mysql_stmt*, st_mysql_field*, unsigned int) /source/client/mysqltest.cc:7919:7
    #1 0x55fb03850163 in read_stmt_results(st_mysql_stmt*, st_dynamic_string*, st_command*) /source/client/mysqltest.cc:8687:7
    #2 0x55fb03851034 in run_query_stmt(st_connection*, st_command*, char*, unsigned long, st_dynamic_string*, st_dynamic_string*) /source/client/mysqltest.cc:8876:9
    #3 0x55fb03853234 in run_query(st_connection*, st_command*, int) /source/client/mysqltest.cc:9675:5
    #4 0x55fb0385660e in main /source/client/mysqltest.cc:10511:2
    #5 0x7fe20b44c249 (/lib/x86_64-linux-gnu/libc.so.6+0x27249) (BuildId: c047672cae7964324658491e7dee26748ae5d2f8)
    #6 0x7fe20b44c304 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x27304) (BuildId: c047672cae7964324658491e7dee26748ae5d2f8)
    #7 0x55fb037861c0 in _start (/build/client/mariadb-test+0x9a1c0) (BuildId: 0b9fb605ba645cf724ec0c8c01d2243bbb89da9b)

  Uninitialized value was stored to memory at
    #0 0x55fb0384bf05 in append_stmt_result(st_dynamic_string*, st_mysql_stmt*, st_mysql_field*, unsigned int) /source/client/mysqltest.cc:7920:20
    #1 0x55fb03850163 in read_stmt_results(st_mysql_stmt*, st_dynamic_string*, st_command*) /source/client/mysqltest.cc:8687:7
    #2 0x55fb03851034 in run_query_stmt(st_connection*, st_command*, char*, unsigned long, st_dynamic_string*, st_dynamic_string*) /source/client/mysqltest.cc:8876:9
    #3 0x55fb03853234 in run_query(st_connection*, st_command*, int) /source/client/mysqltest.cc:9675:5
    #4 0x55fb0385660e in main /source/client/mysqltest.cc:10511:2
    #5 0x7fe20b44c249 (/lib/x86_64-linux-gnu/libc.so.6+0x27249) (BuildId: c047672cae7964324658491e7dee26748ae5d2f8)

  Memory was marked as uninitialized
    #0 0x55fb037c35cd in __msan_allocated_memory (/build/client/mariadb-test+0xd75cd) (BuildId: 0b9fb605ba645cf724ec0c8c01d2243bbb89da9b)
    #1 0x55fb03927209 in my_malloc /source/mysys/my_malloc.c:120:7
    #2 0x55fb0384b8dd in append_stmt_result(st_dynamic_string*, st_mysql_stmt*, st_mysql_field*, unsigned int) /source/client/mysqltest.cc:7892:20
    #3 0x55fb03850163 in read_stmt_results(st_mysql_stmt*, st_dynamic_string*, st_command*) /source/client/mysqltest.cc:8687:7
    #4 0x55fb03851034 in run_query_stmt(st_connection*, st_command*, char*, unsigned long, st_dynamic_string*, st_dynamic_string*) /source/client/mysqltest.cc:8876:9
    #5 0x55fb03853234 in run_query(st_connection*, st_command*, int) /source/client/mysqltest.cc:9675:5
    #6 0x55fb0385660e in main /source/client/mysqltest.cc:10511:2
    #7 0x7fe20b44c249 (/lib/x86_64-linux-gnu/libc.so.6+0x27249) (BuildId: c047672cae7964324658491e7dee26748ae5d2f8)

SUMMARY: MemorySanitizer: use-of-uninitialized-value /source/client/mysqltest.cc:7919:7 in append_stmt_result(st_dynamic_string*, st_mysql_stmt*, st_mysql_field*, unsigned int)
Exiting
mysqltest got signal 6
read_command_buf (0x731000000018): explain select fld3 from t2 ignore index (fld3) where fld3 = 'honeysuckle'
{noformat}

mysqltest.cc around "use of uninitalized variable" with final line "client/mysqltest.cc:7919"
{code:c++}
    /* Allocate data for the result of each field */
    for (i= 0; i < num_fields; i++)
    {
      uint max_length= fields[i].max_length + 1;
      my_bind[i].buffer_type= MYSQL_TYPE_STRING;
      my_bind[i].buffer= my_malloc(PSI_NOT_INSTRUMENTED, max_length,
                                   MYF(MY_WME|MY_FAE));
      my_bind[i].buffer_length= max_length;
      my_bind[i].is_null= &is_null[i];
      my_bind[i].length= &length[i];

      DBUG_PRINT("bind", ("col[%d]: buffer_type: %d, buffer_length: %lu",
                          i, my_bind[i].buffer_type, my_bind[i].buffer_length));
    }

    if (mysql_stmt_bind_result(stmt, my_bind))
      die("mysql_stmt_bind_result failed: %d: %s",
          mysql_stmt_errno(stmt), mysql_stmt_error(stmt));

    while ((error=mysql_stmt_fetch(stmt)) == 0)
    {
      for (i= 0; i < num_fields; i++)
        append_field(rs, i, &fields[i], (char*)my_bind[i].buffer,
                     *my_bind[i].length, *my_bind[i].is_null);
{code}

So my_bind wasn't fully as the length and is_null where raw allocations. is calling mysql_stmt_fetch meant to initialise all my_bind members?

{noformat:title=main-ab468e33aff110b44a31ce0350894906ff4bc757 with update C/C to b38e87200346c1ee5fd98c316bffb20df1ede5ff}
$ mysql-test/mtr --cursor-protocol main.pool_of_threads

main.pool_of_threads [ fail ]
        Test ended at 2025-03-26 00:08:02

CURRENT_TEST: main.pool_of_threads
==10504==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x55fb0384bf0c in append_stmt_result(st_dynamic_string*, st_mysql_stmt*, st_mysql_field*, unsigned int) /source/client/mysqltest.cc:7919:7
    #1 0x55fb03850163 in read_stmt_results(st_mysql_stmt*, st_dynamic_string*, st_command*) /source/client/mysqltest.cc:8687:7
    #2 0x55fb03851034 in run_query_stmt(st_connection*, st_command*, char*, unsigned long, st_dynamic_string*, st_dynamic_string*) /source/client/mysqltest.cc:8876:9
    #3 0x55fb03853234 in run_query(st_connection*, st_command*, int) /source/client/mysqltest.cc:9675:5
    #4 0x55fb0385660e in main /source/client/mysqltest.cc:10511:2
    #5 0x7fe20b44c249 (/lib/x86_64-linux-gnu/libc.so.6+0x27249) (BuildId: c047672cae7964324658491e7dee26748ae5d2f8)
    #6 0x7fe20b44c304 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x27304) (BuildId: c047672cae7964324658491e7dee26748ae5d2f8)
    #7 0x55fb037861c0 in _start (/build/client/mariadb-test+0x9a1c0) (BuildId: 0b9fb605ba645cf724ec0c8c01d2243bbb89da9b)

  Uninitialized value was stored to memory at
    #0 0x55fb0384bf05 in append_stmt_result(st_dynamic_string*, st_mysql_stmt*, st_mysql_field*, unsigned int) /source/client/mysqltest.cc:7920:20
    #1 0x55fb03850163 in read_stmt_results(st_mysql_stmt*, st_dynamic_string*, st_command*) /source/client/mysqltest.cc:8687:7
    #2 0x55fb03851034 in run_query_stmt(st_connection*, st_command*, char*, unsigned long, st_dynamic_string*, st_dynamic_string*) /source/client/mysqltest.cc:8876:9
    #3 0x55fb03853234 in run_query(st_connection*, st_command*, int) /source/client/mysqltest.cc:9675:5
    #4 0x55fb0385660e in main /source/client/mysqltest.cc:10511:2
    #5 0x7fe20b44c249 (/lib/x86_64-linux-gnu/libc.so.6+0x27249) (BuildId: c047672cae7964324658491e7dee26748ae5d2f8)

  Memory was marked as uninitialized
    #0 0x55fb037c35cd in __msan_allocated_memory (/build/client/mariadb-test+0xd75cd) (BuildId: 0b9fb605ba645cf724ec0c8c01d2243bbb89da9b)
    #1 0x55fb03927209 in my_malloc /source/mysys/my_malloc.c:120:7
    #2 0x55fb0384b8dd in append_stmt_result(st_dynamic_string*, st_mysql_stmt*, st_mysql_field*, unsigned int) /source/client/mysqltest.cc:7892:20
    #3 0x55fb03850163 in read_stmt_results(st_mysql_stmt*, st_dynamic_string*, st_command*) /source/client/mysqltest.cc:8687:7
    #4 0x55fb03851034 in run_query_stmt(st_connection*, st_command*, char*, unsigned long, st_dynamic_string*, st_dynamic_string*) /source/client/mysqltest.cc:8876:9
    #5 0x55fb03853234 in run_query(st_connection*, st_command*, int) /source/client/mysqltest.cc:9675:5
    #6 0x55fb0385660e in main /source/client/mysqltest.cc:10511:2
    #7 0x7fe20b44c249 (/lib/x86_64-linux-gnu/libc.so.6+0x27249) (BuildId: c047672cae7964324658491e7dee26748ae5d2f8)

SUMMARY: MemorySanitizer: use-of-uninitialized-value /source/client/mysqltest.cc:7919:7 in append_stmt_result(st_dynamic_string*, st_mysql_stmt*, st_mysql_field*, unsigned int)
Exiting
mysqltest got signal 6
read_command_buf (0x731000000018): explain select fld3 from t2 ignore index (fld3) where fld3 = 'honeysuckle'
{noformat}

mysqltest.cc around "use of uninitalized variable" with final line "client/mysqltest.cc:7919"
{code:c++}
    /* Allocate data for the result of each field */
    for (i= 0; i < num_fields; i++)
    {
      uint max_length= fields[i].max_length + 1;
      my_bind[i].buffer_type= MYSQL_TYPE_STRING;
      my_bind[i].buffer= my_malloc(PSI_NOT_INSTRUMENTED, max_length,
                                   MYF(MY_WME|MY_FAE));
      my_bind[i].buffer_length= max_length;
      my_bind[i].is_null= &is_null[i];
      my_bind[i].length= &length[i];

      DBUG_PRINT("bind", ("col[%d]: buffer_type: %d, buffer_length: %lu",
                          i, my_bind[i].buffer_type, my_bind[i].buffer_length));
    }

    if (mysql_stmt_bind_result(stmt, my_bind))
      die("mysql_stmt_bind_result failed: %d: %s",
          mysql_stmt_errno(stmt), mysql_stmt_error(stmt));

    while ((error=mysql_stmt_fetch(stmt)) == 0)
    {
      for (i= 0; i < num_fields; i++)
        append_field(rs, i, &fields[i], (char*)my_bind[i].buffer,
                     *my_bind[i].length, *my_bind[i].is_null);
{code}

So my_bind wasn't fully initialized as the length and is_null where raw allocations. Is calling mysql_stmt_fetch meant to initialise all my_bind members?

Georg Richter made changes - 2025-03-31 07:34

Fix Version/s		3.1.29 [ 30105 ]
Fix Version/s		3.3.16 [ 30107 ]
Fix Version/s		3.4.6 [ 30109 ]

People

Assignee:: Georg Richter

Reporter:: Daniel Black

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 2025-03-26 00:26

Updated:: 2025-03-31 09:02

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Connector/C

Details

Description

Attachments

Issue Links

Activity

People

Dates

Git Integration